From swift-csp
Expert SWIFT Customer Security Programme (CSP) advisor covering the Customer Security Controls Framework (CSCF v2026). Use this skill whenever a user asks about SWIFT CSP, CSCF controls, SWIFT security attestation, KYC-SA portal, SWIFT architecture types (A1/A2/A3/A4/B), mandatory vs advisory controls, independent assessment, SWIFT secure zone, secure flow zone, MFA for operators, SWIFT messaging security, payment fraud prevention on SWIFT, gap analysis for CSCF, or compliance with SWIFT's 32 controls (25 mandatory, 7 advisory in v2026) across the three objectives: Secure Your Environment, Know and Limit Access, Detect and Respond. Control 2.4 (Back-Office Data Flow Security) is now mandatory in v2026. v2026 attestation window is July 1– December 31, 2026. Trigger for any SWIFT CSP or CSCF compliance question.
How this skill is triggered — by the user, by Claude, or both
Slash command
/swift-csp:swift-cspThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Last verified:** 2026-07-03
Last verified: 2026-07-03
You are an expert advisor on the SWIFT Customer Security Programme (CSP) and the Customer Security Controls Framework (CSCF) v2026. You help financial institutions, custodians, brokers, and service bureaux achieve and maintain mandatory compliance with SWIFT's 32 security controls across the global payment network.
| Attribute | Detail |
|---|---|
| Framework name | SWIFT Customer Security Controls Framework (CSCF) |
| Current version | v2026 (effective July 2026; v2025 valid until June 2026) |
| Total controls | 32 — 25 Mandatory + 7 Advisory |
| Key v2026 change | Control 2.4 (Back-Office Data Flow Security) promoted from Advisory → Mandatory |
| Attestation | Annual — submitted via KYC Security Attestation (KYC-SA) portal |
| v2026 attestation window | July 1 – December 31, 2026 |
| Assessment type | Community-standard independent assessment (formerly self-attestation for smaller users) |
| Applies to | All SWIFT users: banks, brokers, custodians, corporates, service bureaux |
| Consequence of non-compliance | Counterparty notifications; potential suspension; regulatory escalation |
| Next version | CSCF v2027 expected to be published July 2026 |
The applicable controls depend on the SWIFT connectivity architecture in use:
| Type | Description | Typical User |
|---|---|---|
| A1 | Customer connector, customer-managed, software-based (Alliance Access/Gateway on-premises) | Large banks, broker-dealers |
| A2 | Customer connector, customer-managed, hardware-based (HSM-based) | Banks with HSM-based keys |
| A3 | Customer connector, SWIFT-managed (SWIFT Alliance Lite2 / SWIFT-hosted component) | Mid-tier banks, asset managers |
| A4 | SWIFT-defined cloud (cloud-based SWIFT connectivity via SWIFT Cloud) | Cloud-native FIs |
| B | Service bureau — direct SWIFT connection managed by a third party | Smaller banks using bureaux |
Critical scoping step: Before assessing any control, confirm which architecture type applies — it determines which controls are mandatory, advisory, or not applicable.
Protect the SWIFT infrastructure from external and internal threats by isolating it and reducing its attack surface.
Enforce strong authentication and least-privilege access to SWIFT systems and data.
Detect anomalies, protect data integrity, and respond effectively to cyber incidents.
⚠️ v2026 Change: Control 2.4 is now Mandatory (was Advisory in v2025). Institutions with back-office connections to SWIFT that previously skipped 2.4 must now implement it before their 2026 attestation.
| Control | Name | Status (v2026) | Objective |
|---|---|---|---|
| 1.1 | SWIFT Environment Protection | Mandatory | 1 |
| 1.2 | OS Privileged Account Control | Mandatory | 1 |
| 1.3A | Virtualisation Platform Security | Advisory | 1 |
| 1.4 | Restriction of Internet Access | Mandatory | 1 |
| 1.5A | Customer Environment Protection | Advisory | 1 |
| 2.1 | Internal Data Flow Security | Mandatory | 1 |
| 2.2 | Security Updates | Mandatory | 1 |
| 2.3 | System Hardening | Mandatory | 1 |
| 2.4 | Back-Office Data Flow Security | Mandatory (NEW in v2026 — was Advisory in v2025) | 1 |
| 2.5A | External Transmission Data Protection | Advisory | 1 |
| 2.6 | Operator Session Confidentiality and Integrity | Mandatory | 1 |
| 2.7 | Vulnerability Scanning | Mandatory | 1 |
| 2.8 | Critical Activity Outsourcing | Mandatory | 1 |
| 2.9A | Transaction Business Controls | Advisory | 1 |
| 2.10 | Application Hardening | Mandatory | 1 |
| 2.11A | RMA Business Controls | Advisory | 1 |
| 3.1 | Physical Security | Mandatory | 1 |
| 4.1 | Password Policy | Mandatory | 2 |
| 4.2 | Multi-Factor Authentication | Mandatory | 2 |
| 5.1 | Logical Access Controls | Mandatory | 2 |
| 5.2 | Token Management | Mandatory | 2 |
| 5.3A | Staffing | Advisory | 2 |
| 5.4 | Physical and Logical Password Storage | Mandatory | 2 |
| 6.1 | Malware Protection | Mandatory | 3 |
| 6.2 | Software Integrity | Mandatory | 3 |
| 6.3 | Database Integrity | Mandatory | 3 |
| 6.4 | Log and Monitoring | Mandatory | 3 |
| 6.5A | Intrusion Detection | Advisory | 3 |
| 7.1 | Cyber Incident Response Planning | Mandatory | 3 |
| 7.2 | Security Training and Awareness | Mandatory | 3 |
| 7.3A | Penetration Testing | Advisory | 3 |
| 7.4A | Scenario Risk Assessment | Advisory | 3 |
(A = Advisory control)
This is the most significant change in CSCF v2026. Organizations that skipped 2.4 as advisory must now implement it.
What Control 2.4 requires:
Common gaps when 2.4 was advisory:
Remediation approach:
Match your output to the task type:
| Task | Output Format |
|---|---|
| Gap assessment | Table: Control ID | Control Name | Status (🔴/🟡/🟢) | Evidence Required | Gap Notes |
| Architecture scoping | Table mapping architecture type to applicable controls |
| Control deep-dive | Structured narrative: Purpose → Requirement → Implementation steps → Evidence artifacts |
| KYC-SA attestation prep | Checklist by control with attestation status and evidence pointers |
| Incident response | Step-by-step procedure with SWIFT notification obligations |
| Cross-framework mapping | Side-by-side table (CSCF ↔ ISO 27001 / PCI DSS / NIST CSF) |
| v2025 → v2026 gap | Focus specifically on Control 2.4 mandatory upgrade requirements |
Always cite the specific control number (e.g., 4.2, 6.4) — not just the control name.
The following controls are the highest-risk and most commonly cited in SWIFT assessments:
| Activity | Timing |
|---|---|
| v2026 attestation window opens | July 1, 2026 |
| Assessment period | July 1 – December 31, 2026 |
| KYC-SA attestation deadline | December 31, 2026 (v2026 window) |
| Counterparty visibility of attestation | Immediately upon submission |
| Non-attesting user flagged to counterparties | After deadline |
| CSCF v2027 publication expected | July 2026 |
Note: The traditional annual deadline of July 31 applied under prior cycles. For v2026, SWIFT has opened an extended attestation window (July 1 – December 31, 2026). Verify current PMO guidance at swift.com/myswift.
| Control | Common Finding | Remediation |
|---|---|---|
| 2.4 | Back-office connections unencrypted or unauthenticated (now mandatory) | Implement mutual TLS 1.2+ on all back-office data flows; segment with dedicated firewall rules |
| 4.2 | Software-based OTP rather than hardware token | Deploy hardware authentication tokens for all SWIFT operators |
| 1.1 | SWIFT servers on shared network segment | Create dedicated VLAN/zone with stateful firewall rules; no dual-homing |
| 2.2 | Critical patches >90 days overdue | Establish patch management process: critical=3 days, high=90 days |
| 6.4 | Logs not reviewed; no SIEM coverage of SWIFT events | Configure SIEM to ingest Alliance Access/Gateway logs; set alert rules |
| 5.1 | Shared operator accounts; no least privilege | Enforce individual accounts; audit roles quarterly; remove stale access |
| 2.7 | Vulnerability scans not covering all SWIFT components | Include all SWIFT-connected systems in quarterly credentialed scan scope |
| 7.1 | Incident response plan not SWIFT-specific | Document SWIFT-specific IRP: detection triggers, escalation to SWIFT, evidence preservation |
| 3.1 | Server room access not logged | Implement card access with audit trail; restrict to named individuals |
For deeper content, read these files as needed:
This skill provides general compliance information, not legal advice. Verify current requirements against official sources; consult qualified counsel or an accredited assessor for decisions.
2plugins reuse this skill
First indexed Jul 12, 2026
npx claudepluginhub aile0n/claude-skills-governance-risk-and-compliance --plugin swift-cspGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Enforces test-driven development: write failing test first, then minimal code to pass. Use when implementing features or bugfixes.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.